icon bookmark-bicon bookmarkicon cameraicon checkicon chevron downicon chevron lefticon chevron righticon chevron upicon closeicon v-compressicon downloadicon editicon v-expandicon fbicon fileicon filtericon flag ruicon full chevron downicon full chevron lefticon full chevron righticon full chevron upicon gpicon insicon mailicon moveicon-musicicon mutedicon nomutedicon okicon v-pauseicon v-playicon searchicon shareicon sign inicon sign upicon stepbackicon stepforicon swipe downicon tagicon tagsicon tgicon trashicon twicon vkicon yticon wticon fm
29 Mar, 2018 11:56

Gay dating app Grindr 'exposed millions of users’ location'

Gay dating app Grindr 'exposed millions of users’ location'

A tech company CEO has exposed two major security flaws in the gay dating app Grindr which could have placed its 3 million daily users at risk by sharing their location data against their will.

Grindr is the world's largest dating app for gay, bixsexual, transgender and queer people according to its website. Trever Faden, founder of property management company Atlas Lane, discovered a flaw in Grindr’s Application programming interface (API) that allowed users to find data that was previously unavailable, including deleted photos, which users had blocked them from and the location data of users who had opted out of sharing such information.

READ MORE: 1,200 pages of 'gay' priests' explicit chats, photos given to Vatican

Faden exposed this flaw and established the (now-defunct) website C*ckblocked which would sift through users' metadata along with their username and password. “One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” he explained to NBC.

Faden also discovered a second flaw in the app in which user data was sent unencrypted over the internet. Grindr claims it does encrypt user data and obscures user location despite not specifically denying accusations in the current leak in its statement published on Twitter. RT.com has contacted Grindr for additional comment.

"Anytime a user discloses their login credentials to an unknown third-party, they run the risk of exposing their own profile information, location information, and related metadata. We cannot emphasize this enough: we strongly recommend against our users sharing their personal login information with these websites as they risk exposing information that they have opted out of sharing,” the company wrote.

“Grindr is a location-based app. Location is a critical element of our social network platform. This allows our users to feel connected to our community in a world that would seek to isolate us. That said, all information transmitted between a user’s device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties."

Grindr’s API was patched on March 23 but the damage may have already been done. Grindr has users in 234 countries and territories worldwide but homosexuality is still illegal in more than 70 countries, and is punishable by death in at least 13, according to a 2016 report by the International Lesbian, Gay, Bisexual, Trans and Intersex Association (ILGA). Grindr users have been arrested in sting operations conducted by undercover police in Egypt, for example.

READ MORE: ‘Dating apps must work to prevent crime,’ say police as Grindr serial killer found guilty

“In territories where homosexuality is criminalized, or it’s otherwise unsafe to be LGBTQ identified, we deliberately obfuscate the location-based features of our application to protect our users,” the company added in its recent statement.

The issues have come to light amid a major privacy scandal over Facebook in relation to the alleged leak of private user data of up to 50 million people via a third-party quiz on the platform.

Think your friends would be interested? Share this story!

Podcasts
0:00
28:21
0:00
25:26